molecule-ai/molecule-core
49
0
Fork 2
Code Issues 146 Pull Requests 159 Actions 5 Packages Projects Releases Wiki Activity

fix(tests): make SSRF and admin-token tests hermetic against env vars #1703

Merged
hongming merged 3 commits from fix/test-hermeticity-env-guards into main 2026-05-23 20:01:39 +00:00
Conversation 4 Commits 3 Files Changed 7
+34

3 Commits

Author SHA1 Message Date
Molecule AI Dev Engineer A (Kimi) b4cc4e2e22 fix(tests): add ADMIN_TOKEN guards to middleware and router tests
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Waiting to run
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 9s
Details
CI / Detect changes (pull_request) Successful in 11s
Details
CI / Python Lint & Test (pull_request) Successful in 8s
Details
E2E Chat / detect-changes (pull_request) Successful in 8s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 11s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Has been skipped
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 16s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 14s
Details
Harness Replays / detect-changes (pull_request) Successful in 7s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 5s
Details
Lint no tenant GITEA or GITHUB token write / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 6s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Successful in 54s
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 38s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
Details
security-review / approved (pull_request) Failing after 6s
Details
qa-review / approved (pull_request) Failing after 8s
Details
gate-check-v3 / gate-check (pull_request) Successful in 11s
Details
sop-checklist / review-refire (pull_request) Has been skipped
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
sop-checklist / all-items-acked (pull_request) Successful in 6s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m2s
Details
CI / Canvas (Next.js) (pull_request) Successful in 6s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m56s
Details
E2E Chat / E2E Chat (pull_request) Successful in 5s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 1m50s
Details
Harness Replays / Harness Replays (pull_request) Successful in 6s
Details
CI / Platform (Go) (pull_request) Successful in 5m41s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / all-required (pull_request) compensating
Details
audit-force-merge / audit (pull_request) Successful in 6s
Details 
Additional environment-sensitive tests that inherited ADMIN_TOKEN:

- wsauth_middleware_test.go: 6 AdminAuth tests that expect fail-open
  or bearer-token behavior without an ambient admin secret
- admin_test_token_route_test.go: fresh-install fail-open test

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-23 09:37:06 +00:00
Molecule AI Dev Engineer A (Kimi) 5727ff4323 fix(tests): add env guards to registry, security, and provision tests 
Additional tests that inherited MOLECULE_ORG_ID or ADMIN_TOKEN from the
container environment and failed:

- registry_test.go: TestValidateAgentURL (strict RFC-1918 checks)
- security_regression_685_686_687_688_test.go: fresh-install fail-open
  tests that need ADMIN_TOKEN unset to pass through the AdminAuth gate
- workspace_provision_test.go: issueAndInjectToken tests that verify
  token injection into ConfigFiles (skipped in SaaS mode)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-23 09:37:05 +00:00
Molecule AI Dev Engineer A (Kimi) 65c1dca85e fix(tests): make SSRF and admin-token tests hermetic against env vars 
Tests in mcp_test.go assumed strict (non-SaaS) SSRF mode but inherited
MOLECULE_ORG_ID from the container environment, causing isSafeURL and
isPrivateOrMetadataIP to allow RFC-1918 ranges and fail.

Tests in admin_test_token_test.go assumed no ADMIN_TOKEN gate but
inherited ADMIN_TOKEN from the environment, causing 401 instead of
the expected 200/404.

Add t.Setenv guards to both files so each test controls its own
environment and passes regardless of ambient env vars.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-23 09:37:05 +00:00